Administering Container-to-Container Networking

This topic describes how to configure the Container-to-Container Networking feature. For an overview of how Container-to-Container Networking works, see the Understanding Container-to-Container Networking topic.

Enable Container-to-Container Networking

The Ops Manager Elastic Runtime tile enables Container-to-Container Networking for Pivotal Cloud Foundry (PCF) by default. To configure Container-to-Container Networking in Ops Manager, perform the following steps:

  1. In Ops Manager, navigate to the Installation Dashboard > Elastic Runtime tile.

  2. In the Networking pane, keep Enable Container-to-Container Networking selected.

  3. (Optional) Enter an IP range for the overlay network in the Network CIDR box. If you do not set a custom range, Ops Manager uses 10.255.0.0/16.

    NOTE: The overlay network IP range must not conflict with any other IP addresses in the network. If there is a conflict, the Diego cells cannot reach any endpoint that has a conflicting IP address. See App Instance Communication for more information.

  4. (Optional) Enter a UDP port number in the VXLAN Tunnel Endpoint Port box. If you do not set a custom port, Ops Manager uses 4789.

  5. Click Save.

  6. Return to the Installation Dashboard.

Configure the Overlay Network

Container-to-Container Networking uses an overlay network to manage communication between app instances. By default, each Diego cell in the overlay network is allocated a /24 range that supports 254 containers per cell, one container for each of the usable IP addresses, .1 through .254. For more information about the overlay network, see Overlay Network in Understanding Container-to-Container Networking.

Configure the Number of Diego Cells

If you want to modify the number of Diego cells supported by the overlay network, follow the steps below:

  1. In Ops Manager, select the Elastic Runtime (PAS) tile.
  2. Select Networking.
  3. Under Overlay Subnet, enter an IP range for the overlay network. By default, Ops Manager uses 10.255.0.0/16. Because each Diego cell takes one /24 from this range, the size of the range determines how many cells the deployment can support. Use the table below as a reference; the cell counts are one less than the number of /24 ranges the mask contains.

     Overlay subnet mask   Number of cells   Containers per cell
     /20                   15                254
     /16                   255               254
     /12                   4,095             254

Warning: The overlay network IP address range must not conflict with any other IP addresses in the network. If a conflict exists, Diego cells cannot reach any endpoint that has a conflicting IP address.
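The two checks above (enough /24 ranges for the planned number of cells, and no overlap with any other network in the deployment) are easy to get wrong by hand. The following is an added example, not code from the PCF documentation or from Ops Manager: it computes the cell capacity of an overlay range using the same convention as the table (one /24 per cell, one /24 held back) and reports any deployment CIDR that overlaps it. The deployment networks in the sample are constructed values.

```python
# Added example (not part of the PCF documentation): sanity checks for the
# overlay range before you save it in Ops Manager.
import ipaddress

CELL_PREFIX = 24            # each Diego cell is allocated one /24 (from the page)
CONTAINERS_PER_CELL = 254   # usable addresses .1 through .254 in that /24


def overlay_capacity(overlay_cidr: str) -> tuple[int, int]:
    """Return (cells, containers_per_cell) for an overlay range.

    Matches the table on this page: one /24 of the range is held back, so a
    /16 gives 255 cells rather than 256 (assumption: a single reserved /24).
    """
    net = ipaddress.ip_network(overlay_cidr)  # strict by default: rejects host bits set
    if net.version != 4:
        raise ValueError("the overlay network is an IPv4 range")
    if net.prefixlen >= CELL_PREFIX:
        raise ValueError("overlay range must be larger than one /24")
    cells = 2 ** (CELL_PREFIX - net.prefixlen) - 1
    return cells, CONTAINERS_PER_CELL


def overlay_conflicts(overlay_cidr: str, other_cidrs: list[str]) -> list[str]:
    """Return the CIDRs in other_cidrs that overlap the overlay range.

    Any hit means Diego cells lose reachability to those addresses, which is
    the failure mode the warning above describes.
    """
    overlay = ipaddress.ip_network(overlay_cidr)
    return [c for c in other_cidrs if overlay.overlaps(ipaddress.ip_network(c))]


def check_overlay(overlay_cidr: str, other_cidrs: list[str], needed_cells: int) -> dict:
    """Combine both checks into one report for a planned deployment size."""
    cells, per_cell = overlay_capacity(overlay_cidr)
    return {
        "cells": cells,
        "containers_per_cell": per_cell,
        "enough_cells": cells >= needed_cells,
        "conflicts": overlay_conflicts(overlay_cidr, other_cidrs),
    }


if __name__ == "__main__":
    # Constructed sample: the default overlay range against a deployment whose
    # internal networks (assumed values, not from the page) include a 10.255.x range.
    deployment_networks = ["10.0.0.0/16", "10.255.12.0/24", "192.168.1.0/24"]
    print(check_overlay("10.255.0.0/16", deployment_networks, needed_cells=100))
    # 10.255.12.0/24 conflicts with the default; a 10.254.0.0/16 overlay would not.
    print(check_overlay("10.254.0.0/16", deployment_networks, needed_cells=100))
```

Feed overlay_conflicts every range the cells must reach (infrastructure subnets, service networks, on-premises ranges routed to the deployment), not only the IaaS VPC, since a hit on any of them silently breaks reachability from every cell.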

Create Policies for Container-to-Container Networking

This section describes how to create and modify Container-to-Container Networking policies using a plugin for the Cloud Foundry Command Line Interface (cf CLI). The cf CLI only supports configuring policies for apps within the same space. To configure policies for apps in different orgs and spaces, use the Policy Server External API.

To use the plugin, you must have either the network.write or network.admin UAA scope.

  UAA Scope       Suitable for        Allows users to create policies…
  network.admin   operators           for any apps in the CF deployment
  network.write   space developers    for apps in spaces that they can access

If you are a CF admin, you already have the network.admin scope. An admin can also grant the network.admin scope to a space developer.

For more information, see Creating and Managing Users with the UAA CLI (UAAC) and Orgs, Spaces, Roles, and Permissions.

Install the Plugin

Follow these steps to download and install the Network Policy plugin for the cf CLI:

  1. Download the network-policy-plugin for your operating system from the Container-to-Container Networking Release repository.

  2. To change the permissions of the plugin file and complete the installation, enter the following commands:

    $ chmod +x ~/Downloads/network-policy-plugin
    $ cf install-plugin ~/Downloads/network-policy-plugin
    

Create a Policy

To create a policy that allows direct network traffic from one app to another, enter the following command:

$ cf allow-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT

Replace the placeholders in the above command as follows:

  • SOURCE-APP is the name of the app that will send traffic.
  • DESTINATION-APP is the name of the app that will receive traffic.
  • PROTOCOL is one of the following: tcp or udp.
  • PORT is the port at which to connect to the destination app. The allowed range is from 1 to 65535.

The following example command allows access from the frontend app to the backend app over TCP at port 8080:

$ cf allow-access frontend backend --protocol tcp --port 8080
Allowing traffic from frontend to backend as admin...
OK 

List Policies

You can list all the policies in your deployment or just the policies for which a single app is either the source or the destination:

  • To list all the policies in your deployment, enter the following command:

    $ cf list-access
    
  • To list the policies for an app, enter the following command:

    $ cf list-access --app MY-APP
    

    The following example command lists policies for the app frontend:

    $ cf list-access --app frontend
    Listing policies as admin...
    OK
    
    Source    Destination    Protocol    Port
    frontend  backend        tcp         8080
    

Delete a Policy

To delete a policy that allows direct network traffic from one app to another, enter the following command:

$ cf remove-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT

The following command deletes the policy that allowed the frontend app to communicate with the backend app over TCP on port 8080:

$ cf remove-access frontend backend --protocol tcp --port 8080
Denying traffic from frontend to backend as admin...
OK 
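The create, list and delete commands above are usually run together: compare the policies an app currently has against the set it should have, then add what is missing and remove what is no longer wanted. The following is an added example, not code from the PCF documentation or from the network-policy plugin. It parses the table that cf list-access prints (using the column layout shown above), validates each desired policy with the same rules as allow-access (tcp or udp, port 1 to 65535), and produces the exact cf commands needed to reconcile the two sets. The list-access output and the app names are constructed for the example.

```python
# Added example (not part of the PCF documentation or the network-policy plugin):
# reconcile a desired policy set against the live set reported by `cf list-access`.
import shlex
import subprocess
from typing import NamedTuple


class Policy(NamedTuple):
    source: str
    destination: str
    protocol: str
    port: int


VALID_PROTOCOLS = {"tcp", "udp"}   # the only values allow-access accepts


def validate(policy: Policy) -> Policy:
    """Reject what the plugin would reject, before any cf command is run."""
    if policy.protocol not in VALID_PROTOCOLS:
        raise ValueError(f"protocol must be tcp or udp, got {policy.protocol!r}")
    if not 1 <= policy.port <= 65535:
        raise ValueError(f"port must be 1-65535, got {policy.port}")
    return policy


def parse_list_access(output: str) -> set[Policy]:
    """Parse the table printed by `cf list-access` into a set of Policy."""
    policies = set()
    in_table = False
    for line in output.splitlines():
        fields = line.split()
        if fields[:4] == ["Source", "Destination", "Protocol", "Port"]:
            in_table = True
            continue
        if in_table and len(fields) == 4:
            src, dst, proto, port = fields
            policies.add(Policy(src, dst, proto, int(port)))
    return policies


def plan(desired: set[Policy], actual: set[Policy]) -> tuple[list[Policy], list[Policy]]:
    """Return (to_add, to_remove). Anything live but not desired is removed,
    which is what keeps the policy set at least privilege."""
    return sorted(desired - actual), sorted(actual - desired)


def command_for(action: str, policy: Policy) -> list[str]:
    verb = {"add": "allow-access", "remove": "remove-access"}[action]
    return ["cf", verb, policy.source, policy.destination,
            "--protocol", policy.protocol, "--port", str(policy.port)]


def reconcile(desired: set[Policy], list_output: str, apply: bool = False) -> list[list[str]]:
    """Compute the cf commands that bring the live set to `desired`.
    With apply=True, run them (requires a logged-in cf CLI with the plugin)."""
    for p in desired:
        validate(p)
    to_add, to_remove = plan(desired, parse_list_access(list_output))
    commands = ([command_for("add", p) for p in to_add]
                + [command_for("remove", p) for p in to_remove])
    for argv in commands:
        print(shlex.join(argv))
        if apply:
            subprocess.run(argv, check=True)
    return commands


# Constructed sample output in the format shown above (not captured from a real system).
SAMPLE_LIST_ACCESS = """\
Listing policies as admin...
OK

Source    Destination    Protocol    Port
frontend  backend        tcp         8080
frontend  legacy-db      tcp         3306
"""

# Assumed desired state: frontend may reach backend and a cache app, nothing else.
DESIRED = {
    Policy("frontend", "backend", "tcp", 8080),
    Policy("frontend", "cache", "tcp", 6379),
}

if __name__ == "__main__":
    # Dry run: prints one allow-access for cache and one remove-access for legacy-db.
    reconcile(DESIRED, SAMPLE_LIST_ACCESS)
```

Because plan removes every live policy that is not in the desired set, scope the input to what the desired set covers: pass the output of cf list-access --app frontend when DESIRED describes only frontend, and only pass the output of a bare cf list-access (which, for a network.admin user, spans every space) when the desired set is meant to be authoritative for the whole deployment.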
